if ($ismoving) {
$this->content->icons[] = ' <img align="bottom" src="'.$CFG->pixpath.'/t/move.gif" height="11" width="11" alt="" />';
- $this->content->items[] = $USER->activitycopyname.' (<a href="'.$CFG->wwwroot.'/course/mod.php?cancelcopy=true">'.$strcancel.'</a>)';
+ $this->content->items[] = $USER->activitycopyname.' (<a href="'.$CFG->wwwroot.'/course/mod.php?cancelcopy=true&sesskey='.$USER->sesskey.'">'.$strcancel.'</a>)';
}
if (!empty($section->sequence)) {
if ($mod->id == $USER->activitycopy) {
continue;
}
- $this->content->items[] = '<a title="'.$strmovefull.'" href="'.$CFG->wwwroot.'/course/mod.php?moveto='.$mod->id.'">'.
+ $this->content->items[] = '<a title="'.$strmovefull.'" href="'.$CFG->wwwroot.'/course/mod.php?moveto='.$mod->id.'&sesskey='.$USER->sesskey.'">'.
'<img height="16" width="80" src="'.$CFG->pixpath.'/movehere.gif" alt="'.$strmovehere.'" border="0" /></a>';
$this->content->icons[] = '';
}
}
if ($ismoving) {
- $this->content->items[] = '<a title="'.$strmovefull.'" href="'.$CFG->wwwroot.'/course/mod.php?movetosection='.$section->id.'">'.
+ $this->content->items[] = '<a title="'.$strmovefull.'" href="'.$CFG->wwwroot.'/course/mod.php?movetosection='.$section->id.'&sesskey='.$USER->sesskey.'">'.
'<img height="16" width="80" src="'.$CFG->pixpath.'/movehere.gif" alt="'.$strmovehere.'" border="0" /></a>';
$this->content->icons[] = '';
}
echo "<tr>";
echo "<td colspan=\"3\" valign=\"top\" bgcolor=\"$THEME->cellcontent\" class=\"topicoutlineclip\" width=\"100%\">";
echo "<p><font size=\"2\">";
- echo "$stractivityclipboard (<a href=\"mod.php?cancelcopy=true\">$strcancel</a>)";
+ echo "$stractivityclipboard (<a href=\"mod.php?cancelcopy=true&sesskey=$USER->sesskey\">$strcancel</a>)";
echo "</font></p>";
echo "</td>";
echo "</tr>";
echo "<tr>";
echo "<td colspan=\"3\" valign=\"top\" bgcolor=\"$THEME->cellcontent\" class=\"weeklyoutlineclip\" width=\"100%\">";
echo "<p><font size=\"2\">";
- echo "$stractivityclipboard (<a href=\"mod.php?cancelcopy=true\">$strcancel</a>)";
+ echo "$stractivityclipboard (<a href=\"mod.php?cancelcopy=true&sesskey=$USER->sesskey\">$strcancel</a>)";
echo "</font></p>";
echo "</td>";
echo "</tr>";
continue;
}
echo '<a title="'.$strmovefull.'"'.
- ' href="'.$CFG->wwwroot.'/course/mod.php?moveto='.$mod->id.'">'.
+ ' href="'.$CFG->wwwroot.'/course/mod.php?moveto='.$mod->id.'&sesskey='.$USER->sesskey.'">'.
'<img height="16" width="80" src="'.$CFG->pixpath.'/movehere.gif" '.
' alt="'.$strmovehere.'" border="0" /></a><br />
';
}
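Review bot: The new `&sesskey=` on the `+` line is emitted as a bare ampersand inside a double-quoted `href` attribute, while the surrounding markup is written as XHTML (`<br />`, self-closing `/>`), where an unescaped `&` in an attribute value is invalid; in the PHP string it should be `&amp;sesskey=`, e.g. `' href="'.$CFG->wwwroot.'/course/mod.php?moveto='.$mod->id.'&amp;sesskey='.$USER->sesskey.'">'.`. Browsers recover from the bare `&`, so this is a markup-validity point rather than a functional one. The same applies to every other attribute URL this commit extends: the block items above, the topics and weeks clipboard links, the `movetosection` link in the next hunk, and all the links built in `make_editing_buttons`. The enclosing function starts outside the hunk.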
if ($ismoving) {
echo '<tr><td><a title="'.$strmovefull.'"'.
- ' href="'.$CFG->wwwroot.'/course/mod.php?movetosection='.$section->id.'">'.
+ ' href="'.$CFG->wwwroot.'/course/mod.php?movetosection='.$section->id.'&sesskey='.$USER->sesskey.'">'.
'<img height="16" width="80" src="'.$CFG->pixpath.'/movehere.gif" '.
' alt="'.$strmovehere.'" border="0" /></a></td></tr>
';
function print_section_add_menus($course, $section, $modnames, $vertical=false, $return=false) {
// Prints the menus to add activities and resources
- global $CFG;
+ global $CFG, $USER;
static $straddactivity, $stractivities, $straddresource, $resources;
if (!isset($straddactivity)) {
$output = '';
$output .= '<div align="right"><table align="right"><tr><td>';
- $output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&section=$section&add=",
+ $output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&section=$section&sesskey=$USER->sesskey&add=",
$resources, "ressection$section", "", $straddresource, 'resource/types', $straddresource, true);
$output .= '</td>';
}
$output .= '<td>';
- $output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&section=$section&add=",
+ $output .= popup_form("$CFG->wwwroot/course/mod.php?id=$course->id&section=$section&sesskey=$USER->sesskey&add=",
$modnames, "section$section", "", $straddactivity, 'mods', $straddactivity, true);
$output .= '</td></tr></table>';
$output .= '</div>';
}
function make_editing_buttons($mod, $absolute=false, $moveselect=true, $indent=-1) {
- global $CFG, $THEME;
+ global $CFG, $THEME, $USER;
static $str;
}
if ($mod->visible) {
- $hideshow = "<a title=\"$str->hide\" href=\"$path/mod.php?hide=$mod->id\"><img".
+ $hideshow = "<a title=\"$str->hide\" href=\"$path/mod.php?hide=$mod->id&sesskey=$USER->sesskey\"><img".
" src=\"$pixpath/t/hide.gif\" hspace=\"2\" height=\"11\" width=\"11\" border=\"0\" alt=\"$str->hide\" /></a> ";
} else {
- $hideshow = "<a title=\"$str->show\" href=\"$path/mod.php?show=$mod->id\"><img".
+ $hideshow = "<a title=\"$str->show\" href=\"$path/mod.php?show=$mod->id&sesskey=$USER->sesskey\"><img".
" src=\"$pixpath/t/show.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
"border=\"0\" alt=\"$str->show\" /></a> ";
}
if ($mod->groupmode == SEPARATEGROUPS) {
$grouptitle = $str->groupsseparate;
$groupimage = "$pixpath/t/groups.gif";
- $grouplink = "$path/mod.php?id=$mod->id&groupmode=0";
+ $grouplink = "$path/mod.php?id=$mod->id&groupmode=0&sesskey=$USER->sesskey";
} else if ($mod->groupmode == VISIBLEGROUPS) {
$grouptitle = $str->groupsvisible;
$groupimage = "$pixpath/t/groupv.gif";
- $grouplink = "$path/mod.php?id=$mod->id&groupmode=1";
+ $grouplink = "$path/mod.php?id=$mod->id&groupmode=1&sesskey=$USER->sesskey";
} else {
$grouptitle = $str->groupsnone;
$groupimage = "$pixpath/t/groupn.gif";
- $grouplink = "$path/mod.php?id=$mod->id&groupmode=2";
+ $grouplink = "$path/mod.php?id=$mod->id&groupmode=2&sesskey=$USER->sesskey";
}
if ($mod->groupmodelink) {
$groupmode = "<a title=\"$grouptitle ($str->clicktochange)\" href=\"$grouplink\">".
}
if ($moveselect) {
- $move = "<a title=\"$str->move\" href=\"$path/mod.php?copy=$mod->id\"><img".
+ $move = "<a title=\"$str->move\" href=\"$path/mod.php?copy=$mod->id&sesskey=$USER->sesskey\"><img".
" src=\"$pixpath/t/move.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
" border=\"0\" alt=\"$str->move\" /></a>";
} else {
- $move = "<a title=\"$str->moveup\" href=\"$path/mod.php?id=$mod->id&move=-1\"><img".
+ $move = "<a title=\"$str->moveup\" href=\"$path/mod.php?id=$mod->id&move=-1&sesskey=$USER->sesskey\"><img".
" src=\"$pixpath/t/up.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
" border=\"0\" alt=\"$str->moveup\" /></a>".
- "<a title=\"$str->movedown\" href=\"$path/mod.php?id=$mod->id&move=1\"><img".
+ "<a title=\"$str->movedown\" href=\"$path/mod.php?id=$mod->id&move=1&sesskey=$USER->sesskey\"><img".
" src=\"$pixpath/t/down.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
" border=\"0\" alt=\"$str->movedown\" /></a>";
}
$leftright = "";
if ($indent > 0) {
- $leftright .= "<a title=\"$str->moveleft\" href=\"$path/mod.php?id=$mod->id&indent=-1\"><img".
+ $leftright .= "<a title=\"$str->moveleft\" href=\"$path/mod.php?id=$mod->id&indent=-1&sesskey=$USER->sesskey\"><img".
" src=\"$pixpath/t/left.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
" border=\"0\" alt=\"$str->moveleft\" /></a>";
}
if ($indent >= 0) {
- $leftright .= "<a title=\"$str->moveright\" href=\"$path/mod.php?id=$mod->id&indent=1\"><img".
+ $leftright .= "<a title=\"$str->moveright\" href=\"$path/mod.php?id=$mod->id&indent=1&sesskey=$USER->sesskey\"><img".
" src=\"$pixpath/t/right.gif\" hspace=\"2\" height=\"11\" width=\"11\" ".
" border=\"0\" alt=\"$str->moveright\" /></a>";
}
return "$leftright$move".
- "<a title=\"$str->update\" href=\"$path/mod.php?update=$mod->id\"><img".
+ "<a title=\"$str->update\" href=\"$path/mod.php?update=$mod->id&sesskey=$USER->sesskey\"><img".
" src=\"$pixpath/t/edit.gif\" hspace=\"2\" height=\"11\" width=\"11\" border=\"0\" ".
" alt=\"$str->update\" /></a>".
// Following line is commented out until this feature is more definite -- martin
- // "<a title=\"$str->duplicate\" href=\"$path/mod.php?duplicate=$mod->id\"> 2 </a>".
- "<a title=\"$str->delete\" href=\"$path/mod.php?delete=$mod->id\"><img".
+ // "<a title=\"$str->duplicate\" href=\"$path/mod.php?duplicate=$mod->id&sesskey=$USER->sesskey\"> 2 </a>".
+ "<a title=\"$str->delete\" href=\"$path/mod.php?delete=$mod->id&sesskey=$USER->sesskey\"><img".
" src=\"$pixpath/t/delete.gif\" hspace=\"2\" height=\"11\" width=\"11\" border=\"0\" ".
" alt=\"$str->delete\" /></a>$hideshow$groupmode";
}
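Review bot: Every editing link now carries the session key in a GET query string, so the token will appear in web-server access logs, browser history and the Referer header of any page mod.php sends the user on to; since one key guards every state-changing action here, that exposure is worth recording next to the function. A header comment would do, e.g. `// Each link carries $USER->sesskey so mod.php can reject forged (cross-site) requests; the key is therefore visible in logs and Referer headers, so never echo these links into pages that link off-site.` The body also reads `$USER->sesskey` without checking it is set, so a caller without a key produces `&sesskey=` with an empty value and relies on mod.php's confirm_sesskey() to reject it — presumably it does, but confirm rather than assume. The function's header and the `$str` initialisation are split across hunks above.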
if (isset($_POST["course"])) { // add or update form submitted
+ //It caller is correct, $SESSION->sesskey must exist and coincide
+ if (empty($SESSION->sesskey) or !confirm_sesskey($SESSION->sesskey)) {
+ error(get_string('confirmsesskeybad', 'error'));
+ }
+
+ //Unset this, check done
+ unset($SESSION->sesskey);
+
if (!$course = get_record("course", "id", $mod->course)) {
error("This course doesn't exist");
}
}
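Review bot: The new POST-side check at the top of the hunk compares a value the server stored itself (`$SESSION->sesskey`, set from `$USER->sesskey` when the form was rendered in the hunks below) rather than anything carried in the submitted form, so it proves only that an edit form was rendered in this session since the last check, not that this POST originated from that form; a forged cross-site POST sent while a form is open would pass. If confirm_sesskey() compares its argument with `$USER->sesskey`, as the GET branches below suggest, the form should carry the key as a hidden field (`<input type="hidden" name="sesskey" value="$USER->sesskey" />`, rendered where `$form` is built, outside this hunk) and this hunk should check the submitted value: `if (!confirm_sesskey()) { error(get_string('confirmsesskeybad', 'error')); }`. The `$SESSION->sesskey` set/unset bookkeeping can then be dropped. The added comment also reads `//It caller is correct`; it should be `// If the caller is correct, $SESSION->sesskey must exist and match`.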
- if (isset($_GET['move'])) {
+ if (isset($_GET['move']) and confirm_sesskey()) {
require_variable($id);
}
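Review bot: Adding `and confirm_sesskey()` to the `else if` condition means a request that names a valid action but fails the key check is not rejected here; it falls through to the next branch, and because every branch in this chain is guarded the same way (movetosection/moveto, indent, hide, show, groupmode, copy, cancelcopy, delete, update, duplicate and add, in the hunks below) it ends up in whatever the chain's final `else` does, which is outside this view. That only matters if confirm_sesskey() returns false on a mismatch rather than calling error() itself; if it errors, the fall-through is harmless but the condition is still misleading to read. Separating action detection from the check gives a clear rejection either way: `if (isset($_GET['move'])) {` followed by `if (!confirm_sesskey()) { error(get_string('confirmsesskeybad', 'error')); }`. The same restructuring applies to each branch named above.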
exit;
- } else if (isset($_GET['movetosection']) or isset($_GET['moveto'])) {
+ } else if ((isset($_GET['movetosection']) or isset($_GET['moveto'])) and confirm_sesskey()) {
if (! $cm = get_record("course_modules", "id", $USER->activitycopy)) {
error("The copied course module doesn't exist!");
redirect("view.php?id=$section->course");
}
- } else if (isset($_GET['indent'])) {
+ } else if (isset($_GET['indent']) and confirm_sesskey()) {
require_variable($id);
}
exit;
- } else if (isset($_GET['hide'])) {
+ } else if (isset($_GET['hide']) and confirm_sesskey()) {
if (! $cm = get_record("course_modules", "id", $_GET['hide'])) {
error("This course module doesn't exist");
}
exit;
- } else if (isset($_GET['show'])) {
+ } else if (isset($_GET['show']) and confirm_sesskey()) {
if (! $cm = get_record("course_modules", "id", $_GET['show'])) {
error("This course module doesn't exist");
}
exit;
- } else if (isset($_GET['groupmode'])) {
+ } else if (isset($_GET['groupmode']) and confirm_sesskey()) {
if (! $cm = get_record("course_modules", "id", $_GET['id'])) {
error("This course module doesn't exist");
}
exit;
- } else if (isset($_GET['copy'])) { // value = course module
+ } else if (isset($_GET['copy']) and confirm_sesskey()) { // value = course module
if (! $cm = get_record("course_modules", "id", $_GET['copy'])) {
error("This course module doesn't exist");
redirect("view.php?id=$cm->course");
- } else if (isset($_GET['cancelcopy'])) { // value = course module
+ } else if (isset($_GET['cancelcopy']) and confirm_sesskey()) { // value = course module
$courseid = $USER->activitycopycourse;
redirect("view.php?id=$courseid");
- } else if (isset($_GET['delete'])) { // value = course module
+ } else if (isset($_GET['delete']) and confirm_sesskey()) { // value = course module
if (! $cm = get_record("course_modules", "id", $_GET['delete'])) {
error("This course module doesn't exist");
$form->modulename = $module->name;
$form->fullmodulename = $fullmodulename;
$form->instancename = $instance->name;
+ $SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : '';
$strdeletecheck = get_string("deletecheck", "", "$form->fullmodulename");
$strdeletecheckfull = get_string("deletecheckfull", "", "$form->fullmodulename '$form->instancename'");
exit;
- } else if (isset($_GET['update'])) { // value = course module
+ } else if (isset($_GET['update']) and confirm_sesskey()) { // value = course module
if (! $cm = get_record("course_modules", "id", $_GET['update'])) {
error("This course module doesn't exist");
$form->modulename = $module->name;
$form->instance = $cm->instance;
$form->mode = "update";
+ $SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : '';
$sectionname = get_string("name$course->format");
$fullmodulename = strtolower(get_string("modulename", $module->name));
$pageheading = get_string("updatinga", "moodle", $fullmodulename);
}
- } else if (isset($_GET['duplicate'])) { // value = course module
+ } else if (isset($_GET['duplicate']) and confirm_sesskey()) { // value = course module
if (! $cm = get_record("course_modules", "id", $_GET['duplicate'])) {
error("This course module doesn't exist");
$form->modulename = $module->name;
$form->instance = $cm->instance;
$form->mode = "add";
+ $SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : '';
$sectionname = get_string("name$course->format");
$fullmodulename = strtolower(get_string("modulename", $module->name));
}
- } else if (isset($_GET['add'])) {
+ } else if (isset($_GET['add']) and confirm_sesskey()) {
if (empty($_GET['add'])) {
redirect($_SERVER["HTTP_REFERER"]);
$form->instance = "";
$form->coursemodule = "";
$form->mode = "add";
+ $SESSION->sesskey = !empty($USER->id) ? $USER->sesskey : '';
if (isset($_GET['type'])) {
$form->type = $_GET['type'];
}